selinux: fix endianness bug in network node address handling
Fix an endianness bug in the handling of network node addresses by SELinux. This yields no change on little endian hardware but fixes the incorrect handling on big endian hardware. The network node addresses are stored in network order in memory by checkpolicy, not in cpu/host order, and thus should not have cpu_to_le32/le32_to_cpu conversions applied upon policy write/read unlike other data in the policy. Bug reported by John Weeks of Sun, who noticed that binary policy files built from the same policy source on x86 and sparc differed and tracked it down to the ipv4 address handling in checkpolicy. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
parent
242631c49d
commit
59dbd1ba98
@ -1478,7 +1478,8 @@ int policydb_read(struct policydb *p, void *fp)
|
|||||||
struct ocontext *l, *c, *newc;
|
struct ocontext *l, *c, *newc;
|
||||||
struct genfs *genfs_p, *genfs, *newgenfs;
|
struct genfs *genfs_p, *genfs, *newgenfs;
|
||||||
int i, j, rc;
|
int i, j, rc;
|
||||||
__le32 buf[8];
|
__le32 buf[4];
|
||||||
|
u32 nodebuf[8];
|
||||||
u32 len, len2, config, nprim, nel, nel2;
|
u32 len, len2, config, nprim, nel, nel2;
|
||||||
char *policydb_str;
|
char *policydb_str;
|
||||||
struct policydb_compat_info *info;
|
struct policydb_compat_info *info;
|
||||||
@ -1749,11 +1750,11 @@ int policydb_read(struct policydb *p, void *fp)
|
|||||||
goto bad;
|
goto bad;
|
||||||
break;
|
break;
|
||||||
case OCON_NODE:
|
case OCON_NODE:
|
||||||
rc = next_entry(buf, fp, sizeof(u32) * 2);
|
rc = next_entry(nodebuf, fp, sizeof(u32) * 2);
|
||||||
if (rc < 0)
|
if (rc < 0)
|
||||||
goto bad;
|
goto bad;
|
||||||
c->u.node.addr = le32_to_cpu(buf[0]);
|
c->u.node.addr = nodebuf[0]; /* network order */
|
||||||
c->u.node.mask = le32_to_cpu(buf[1]);
|
c->u.node.mask = nodebuf[1]; /* network order */
|
||||||
rc = context_read_and_validate(&c->context[0], p, fp);
|
rc = context_read_and_validate(&c->context[0], p, fp);
|
||||||
if (rc)
|
if (rc)
|
||||||
goto bad;
|
goto bad;
|
||||||
@ -1782,13 +1783,13 @@ int policydb_read(struct policydb *p, void *fp)
|
|||||||
case OCON_NODE6: {
|
case OCON_NODE6: {
|
||||||
int k;
|
int k;
|
||||||
|
|
||||||
rc = next_entry(buf, fp, sizeof(u32) * 8);
|
rc = next_entry(nodebuf, fp, sizeof(u32) * 8);
|
||||||
if (rc < 0)
|
if (rc < 0)
|
||||||
goto bad;
|
goto bad;
|
||||||
for (k = 0; k < 4; k++)
|
for (k = 0; k < 4; k++)
|
||||||
c->u.node6.addr[k] = le32_to_cpu(buf[k]);
|
c->u.node6.addr[k] = nodebuf[k];
|
||||||
for (k = 0; k < 4; k++)
|
for (k = 0; k < 4; k++)
|
||||||
c->u.node6.mask[k] = le32_to_cpu(buf[k+4]);
|
c->u.node6.mask[k] = nodebuf[k+4];
|
||||||
if (context_read_and_validate(&c->context[0], p, fp))
|
if (context_read_and_validate(&c->context[0], p, fp))
|
||||||
goto bad;
|
goto bad;
|
||||||
break;
|
break;
|
||||||
|
Loading…
Reference in New Issue
Block a user